Refactor Docker setup

Re-add ability to use Docker for development post-switch
to Cloud VPS. Support for Trove has been added, along with
a few tweaks (like moving execution to a non-root user,
as required by Symfony).

Also moved off of Toolforge images and onto global `php`
images, since CopyPatrol isn't expected to run on Toolforge
anymore.

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
         name: Build and test
         runs-on: ubuntu-latest
         steps:
-            -   uses: actions/checkout@v3
+            -   uses: actions/checkout@v4
                 with:
                     fetch-depth: 0
             -   name: Setup PHP
@@ -29,74 +29,59 @@ jobs:
                     ./bin/console lint:yaml ./config
                     ./vendor/bin/minus-x check .
                     ./bin/phpunit --exclude-group=integration
+    build_image:
+        name: Build Docker image
+        runs-on: ubuntu-latest
+        needs: build
+        steps:
+            -   name: Checkout code
+                uses: actions/checkout@v4
+
+            -   name: Set up QEMU
+                uses: docker/setup-qemu-action@v3
+
+            -   name: Set up Docker Buildx
+                id: buildx
+                uses: docker/setup-buildx-action@v3
+
+            - name: Build image
+              id: docker_build
+              uses: docker/build-push-action@v6
+              with:
+                  context: .
+                  file: docker/Dockerfile
+                  target: production
+                  tags: wikimedia/copypatrol:latest
+                  outputs: type=docker,dest=/tmp/copypatrol-production.image.tar
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
+
+            - name: Image digest
+              run: echo ${{ steps.docker_build.outputs.digest }}
+
+            - name: Upload Docker image to artifacts
+              uses: actions/upload-artifact@v4
+              with:
+                  name: image-production
+                  path: /tmp/copypatrol-production.image.tar
+    analysis:
+        name: Analyze Docker images
+        runs-on: ubuntu-latest
+        needs: build_image
+
+        steps:
+            - name: Download Docker image from artifacts
+              uses: actions/download-artifact@v4
+              with:
+                  name: image-production
+                  path: /tmp
 
-#    build_image:
-#        name: Build Docker image
-#        runs-on: ubuntu-latest
-#        needs: build
-#        strategy:
-#            matrix:
-#                targets:
-#                    - name: production
-#                      tag: wikimedia/copypatrol
-#                    - name: development
-#                      tag: wikimedia/copypatrol-development
-#        steps:
-#            -   name: Checkout code
-#                uses: actions/checkout@v2
-#
-#            -   name: Set up QEMU
-#                uses: docker/setup-qemu-action@v2
-#
-#            -   name: Set up Docker Buildx
-#                id: buildx
-#                uses: docker/setup-buildx-action@v2
-#
-#            - name: Build image
-#              id: docker_build
-#              uses: docker/build-push-action@v4
-#              with:
-#                  context: .
-#                  file: docker/Dockerfile
-#                  target: ${{ matrix.targets.name }}
-#                  tags: ${{ matrix.targets.tag }}:latest
-#                  outputs: type=docker,dest=/tmp/copypatrol-${{ matrix.targets.name }}.image.tar
-#                  cache-from: type=gha
-#                  cache-to: type=gha,mode=max
-#
-#            - name: Image digest
-#              run: echo ${{ steps.docker_build.outputs.digest }}
-#
-#            - name: Upload Docker image to artifacts
-#              uses: actions/upload-artifact@v2
-#              with:
-#                  name: image-${{ matrix.targets.name }}
-#                  path: /tmp/copypatrol-${{ matrix.targets.name }}.image.tar
-#    analysis:
-#        name: Analyze Docker images
-#        runs-on: ubuntu-latest
-#        needs: build_image
-#        strategy:
-#            matrix:
-#                targets:
-#                    - name: production
-#                      tag: wikimedia/copypatrol
-#                    - name: development
-#                      tag: wikimedia/copypatrol-development
-#
-#        steps:
-#            - name: Download Docker image from artifacts
-#              uses: actions/download-artifact@v2
-#              with:
-#                  name: image-${{ matrix.targets.name }}
-#                  path: /tmp
-#
-#            - name: Load image
-#              run: |
-#                  docker load --input /tmp/copypatrol-${{ matrix.targets.name }}.image.tar
-#                  docker image ls -a
-#            - name: Dive
-#              uses: yuichielectric/[email protected]
-#              with:
-#                  image: ${{ matrix.targets.tag }}:latest
-#                  github-token: ${{ secrets.GITHUB_TOKEN }}
+            - name: Load image
+              run: |
+                  docker load --input /tmp/copypatrol-production.image.tar
+                  docker image ls -a
+            - name: Dive
+              uses: MaxymVlasov/[email protected]
+              with:
+                  image: wikimedia/copypatrol:latest
+                  github-token: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -65,8 +65,80 @@ Assets are compiled using Webpack Encore. The compiled assets **must** be commit
 
 ## Installing using Docker
 
-_A new Docker image needs to be created following the move to Wikimedia VPS._
-_You can use the manual installation instructions above in the meantime._
+Development through Docker is suggested if you have a different version of PHP locally
+installed, or if you wish to keep an isolated installation of PHP 8.2 for CopyPatrol.
+
+1. Copy [.env](.env) to [.env.local](.env.local) and fill in the appropriate details.
+   1. Set `REPLICAS_HOST_*` and `TROVE_HOST` to `127.0.0.1`
+   2. Use the credentials in your `replica.my.cnf` file in the home directory of your
+      Toolforge account for `REPLICAS_USERNAME` and `REPLICAS_PASSWORD`.
+   3. Set the rest of the `TROVE_*` variables to that of the installation of the CopyPatrol
+      database (`COPYPATROL_DB_NAME`).
+   4. If you need to test OAuth, obtain tokens by registering a new consumer on Meta at
+      [Special:OAuthConsumerRegistration](https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration).
+      Alternatively, you can set `LOGGED_IN_USER` to any value to simulate being that user
+      after clicking on 'Login'.
+   5. If you need to test the "iThenticate report" functionality, set `TCA_DOMAIN` and `TCA_KEY`.
+      Reports older than `AppController::ITHENTICATE_V2_TIMESTAMP` need to connect to the older
+      iThenticate API, using the credentials set by `ITHENTICATE_USERNAME` and `ITHENTICATE_PASSWORD`.
+2. Build the development image once and install Composer dependencies with the following
+   ```bash
+   docker compose build
+   # On Windows, use `%CD%` instead of `$(pwd)`.
+   docker run --rm -ti -v $(pwd):/app wikimedia/copypatrol:development composer install
+   ```
+   Run the second command again every time you change `composer.json`, or when `composer.json`
+   is changed in an upstream commit. This can take a while on Windows.
+3. (*Windows only*) Set the `HOME` environment variable to your user profile directory.
+   ```cmd
+   setx HOME %UserProfile%
+   set HOME=%UserProfile%
+   ```
+   The first command sets `HOME` for future shells. The second command sets `HOME` for the current shell.
+4. Open a new terminal and start the development container with
+   ```bash
+   docker compose up
+   ```
+   Starting the local development server will be delayed until the next
+   step is finished.
+5. Open up an SSH tunnel to access the databases on Toolforge.
+   ```bash
+   # Your SSH config at $HOME/.ssh will be mounted into the container.
+   # Your passphrase will be requested if your private key is protected.
+   # If your Toolforge shell name is different from the default, append
+   # your shell name after "ssh". (e.g. `... start ssh exampleuser`)
+   docker compose exec copypatrol start ssh
+   ```
+   This terminal will stay open as long as SSH is connected. No successful
+   connection message is shown, but Symfony will start immediately once the
+   ports are open. This extra step is required for you to be able to enter
+   your SSH key password through a TTY.
+
+Changes to this folder will automatically be applied to the running Docker container. This includes
+changes to `src` files, `.env.local`, etc. XDebug is set up to connect to the host machine
+(the computer running the Docker container) on port 9003 upon request ([more info](https://xdebug.org/docs/step_debug)).
+
+If the Trove host changes, you must set the `TROVE_HOST` environment variable to the correct host.
+Review [OpenStack browser](https://openstack-browser.toolforge.org/project/copypatrol/database/copypatrol-dev-db-01) for
+the latest host.
+
+An XDebug configuration is provided by default. To customize this config, mount a
+`xdebug.ini` file to `/usr/local/etc/php/conf.d/xdebug.ini` in the container.
+
+<details>
+<summary>Production image</summary>
+
+A production image can be built with the following command:
+```bash
+docker build -t wikimedia/copypatrol:latest -f docker/Dockerfile .
+```
+This image does not contain XDebug or OpenSSH, and does not have an SSH tunnel to Toolforge.
+You can test it out by running the following command:
+```bash
+# On Windows, use `%CD%` instead of `$(pwd)`.
+docker run -ti --rm -p 8000:8000 wikimedia/copypatrol:latest
+```
+</details>
 
 ## Adding new languages
 

docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 # =========================================================
 #
 # This file allows anyone to start the CopyPatrol web interface
@@ -26,12 +24,17 @@ services:
         command: serve
         stdin_open: true
         tty: true
+        environment:
+            - TROVE_HOST
         extra_hosts:
             - host.docker.internal:host-gateway
         ports:
             - "8000:8000"
         volumes:
             # This binds your SSH configuration into the container.
+            # If you don't want to do this, comment this entry out.
+            # TODO: Disable `copypatrol` user access to /ssh, when that becomes possible.
+            # https://github.com/docker/roadmap/issues/398
             -   type: bind
                 source: "$HOME/.ssh"
                 target: "/ssh"
@@ -40,4 +43,8 @@ services:
             -   type: bind
                 source: "."
                 target: "/app"
-        stop_signal: SIGINT
+                read_only: true
+            -   type: bind
+                source: "./var"
+                target: "/app/var"
+        stop_signal: SIGINT